From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001
From: clarkzjw
Date: Wed, 8 Feb 2023 00:40:09 -0800
Subject: fork https://github.com/mattsta/mailweb
---
ansible/roles/nginx/tasks/main.yml | 118 +++++++++++++++++++++++++++++++++++++
1 file changed, 118 insertions(+)
create mode 100644 ansible/roles/nginx/tasks/main.yml
(limited to 'ansible/roles/nginx/tasks')
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..73469a1
--- /dev/null
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -0,0 +1,118 @@
+---
+- name: emerge, nginx with extra modules!
+ apt:
+ pkg: nginx-extras
+ state: latest
+
+# Keep 32 logs
+- name: adjust nginx logrotate keep files
+ lineinfile:
+ state: present
+ path: /etc/logrotate.d/nginx
+ regexp: "^(\\s+)rotate "
+ line: "\\1rotate 32"
+ backrefs: yes
+
+# And only rotate when they grow larger than 1 GB
+- name: adjust nginx logrotate trigger rolls
+ lineinfile:
+ state: present
+ path: /etc/logrotate.d/nginx
+ regexp: "minsize"
+ line: "minsize 1G"
+ insertafter: "rotate \\d+"
+
+- name: verify nginx isn't serving default pages
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ notify:
+ - reload nginx
+
+- name: verify nginx proxy cache dir exists
+ file:
+ path: /var/nginx/proxy-cache
+ owner: www-data
+ state: directory
+
+- name: verify nginx cpu affinity
+ lineinfile:
+ state: present
+ path: /etc/nginx/nginx.conf
+ regexp: "^worker_cpu_affinity "
+ line: "worker_cpu_affinity auto;"
+ insertafter: '^worker_processes '
+ notify:
+ - reload nginx
+
+- name: drop keepalive from nginx conf because we set it custom
+ lineinfile:
+ state: absent
+ path: /etc/nginx/nginx.conf
+ regexp: "^\\s+keepalive_timeout"
+ notify:
+ - reload nginx
+
+- name: copy config extensions
+ copy:
+ src: conf.d
+ dest: /etc/nginx/
+ notify:
+ - reload nginx
+
+- name: copy shared tls settings
+ copy:
+ src: tls/
+ dest: /etc/nginx/
+ notify:
+ - reload nginx
+
+- name: generate our templated basic sites
+ template:
+ src: basic-site.conf.j2
+ dest: "/etc/nginx/sites-available/{{ item.domain }}"
+ loop: "{{ nginx.basic }}"
+ notify:
+ - reload nginx
+
+- name: copy our more complex sites we don't want templated
+ copy:
+ src: "servers/{{ item }}"
+ dest: /etc/nginx/sites-available/
+ loop: "{{ nginx.complex }}"
+ notify:
+ - reload nginx
+
+- name: activate our nginx site configs
+ file:
+ src: "/etc/nginx/sites-available/{{ item }}"
+ dest: "/etc/nginx/sites-enabled/{{ item }}"
+ state: link
+ loop: "{{ nginx.complex }}"
+ notify:
+ - reload nginx
+
+- name: activate our nginx site templates
+ file:
+ src: "/etc/nginx/sites-available/{{ item.domain }}"
+ dest: "/etc/nginx/sites-enabled/{{ item.domain }}"
+ state: link
+ loop: "{{ nginx.basic }}"
+ notify:
+ - reload nginx
+
+- name: remove disabled sites
+ file:
+ src: "/etc/nginx/sites-enabled/{{ item }}"
+ state: absent
+ loop: "{{ nginx.disabled | default([]) }}"
+ notify:
+ - reload nginx
+
+- name: reload if certs newish
+ include_role:
+ name: certreload
+ vars:
+ certreload:
+ notifiers:
+ - reload nginx
-- cgit v1.2.3
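Review bot: The `remove disabled sites` task gives the `file` module `src:` together with `state: absent`, but `file` takes its target in `path` (aliases `dest`/`name`), so the task should fail on a missing `path` as soon as `nginx.disabled` is non-empty and the symlink in `sites-enabled` is never removed. A site listed as disabled would therefore stay enabled until someone notices the failed play; change the line to `path: "/etc/nginx/sites-enabled/{{ item }}"`. Separately, `verify nginx proxy cache dir exists` sets `owner: www-data` but no `mode`, so the directory's permissions depend on the umask at creation time; adding `mode: "0700"` keeps cached upstream responses unreadable to other local users.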